Should I put cert at both App Gw and Web App level - azure-application-gateway

I have uploaded cert on azure application gateway but does not have done SSL binding at web app. Do I need to do SSL binding at web app level even I have uploaded cert on App GW?

If you are deploying Azure Web App behind Application gateway, in end to end scenarios you don't need to add auth cert. You can just enable App Service check box.
The reason being if the cert in Web App changes without notice, it will bring down the site. So, you don't need to add the cert to Application Gateway HTTP settings.

Related

SSL local/remote Cert for DotNetCore API

I'm a newbie when it comes to certificates.
I'm building a Linux docker image with a Dot Net Core REST WebAPI app that will host the backend for a game. I plan to host this backend on Azure using a Container Instance.
I'd like all communication to be via SSL. I've created a self-signed cert for local communication from my Windows machine to the container. Once I registered it in my hosts file, the self-signed cert is working fine locally.
Now I'm ready to host on Azure. I'm prepared to obtain a CA cert, but am trying to work out how to maintain local access w/o cert errors as well as public access w/o cert errors without modifying the container between my local/debug sessions and the production/remote sessions. I'd prefer to have a single certificate, if possible.
Can anyone give me guidance on how to setup a cert for this situation? Seems like a common need, but I'm not finding resources to walk me through it. Thanks!

How to handle https for a containerized OIDC server in local development?

I have an OpenID Connect server (OpenIDdict) and an asp.net core webapp in containers behind a TLS termination proxy. In production, all communication between the webapp and the OIDC server can go through the 'outside', based on their public names. However, in development, I'm using self signed certificates that aren't trusted by the containers running the apps, only by my host pc. Because of that, in development, the webapp can redirect the browser to the OIDC server just fine, but when it, for instance, needs to call the token endpoint, it will fail, because the certificate isn't trusted.
A possible solution would be to have the server to server communication go through the internal container network, but I haven't been able to get that to work. Is there a way to make the asp.net core OpenID Connect middleware use a different url (and protocol) for server to server communication?
Another solution would be to install the self signed certificates in the containers, but because that's only needed in development, it seems bad practice to burden the images with that. Is that assessment correct?
I'm hoping I'm missing the most obvious solution. Any ideas?
This is what I ended up doing:
I added a custom domain to the hosts file of my pc, pointing to itself.
Using openssl, I created a rootDevCA.crt and added it to the trusted root on my pc and in all the container images.
With that root certificate, I signed a new certificate for the custom domain and supplied that (including its key) to the proxy.
As long as I keep the key file for the root certificate far away from my source code, there should be no security issues.

How to setup domain with SSL in Heroku

I am trying to setup my own domain with an SSL certificate but I just can't get it right. Do I have to put as a DNS the app URL or the DNS generated when I add my domain? I am using GoDaddy and I have seen a lot tutorials saying some of them that you have to use the *.herokuapp.com DNS and other say that the DNS generated in Heroku.
Also, when I look for my app in Google it says that the certificate is not valid for *.herokuapp.com but the one I uploaded was for my personal domain!
At last, sometimes I get the error NET::ERR_CERT_COMMON_NAME_INVALID, can someone help me please?
Automatic Certificate Management (ACM)
The simplest solution doesn't even require you to buy an SSL certificate, but you do need a paid dyno on Heroku. The $7 hobby tier works fine.
Add the custom domain to your app's domains using the CLI or web interface:
heroku domains:add www.custom-domain.com
Run heroku domains to see what your Heroku DNS target is (this is probably your-app.herokudns.com—note that this is not a .herokuapp.com domain)
Add a CNAME record in your DNS registrar pointing to your DNS target
Enable ACM by running
heroku certs:auto:enable
Wait for your certificate to be generated and enabled
It takes approximately 45 - 60 minutes to fully generate a TLS certificate for custom domains on your application. You can view the status of the certificate that is generated for all of your custom domains by running:
heroku certs:auto
If your status says “DNS Verified”, the process is not finished yet. It means we have verified your domain status and are still in the process of submitting it to Let’s Encrypt. The process will be complete when it says “OK”.
Congratulations! Your site should now have ACM enabled.
ACM is powered by Let's Encrypt, a fantastic free service for adding HTTPS to the web.
Custom certificates
It is also possible to set up HTTPS on Heroku using a custom TLS certificate. But ACM is much easier, and that's what I recommend using.

Phonegap app unable to connect to development server due to untrusted certificate

I am trying to allow an HTML5 app deployed to an iPad via Phonegap to connect to web services provided by my development server. The development server has a self-signed certificate. I was able to export my cert in p12 format (with the private key), and using the iPhone Configuration Utility I was able to create a configuration profile and and install it to my iPad. When I look under General -> Profiles on the iPad I can see my configuration profile, and it says "Verified" with a green checkmark. However, it is signed with a signing certificate generated by the iPhone Configuration Utility that is NOT trusted. I believe this is causing web services to fail.
If I hit web services on a production server everything works fine, because the certificate that server has is verified by a major 3rd party issuer. The only problem is hitting my development server. I am able to hit the development server using the host name that the self-signed certificate was issued for by having my iPad hit a proxy server, which has an /etc/hosts entry that resolves to the correct host name. I can hit this site in Chrome on the iPad so I know that is working. However, Chrome also throws up a warning because the certificate is not trusted. It SHOULD be trusted. This works fine on a laptop computer, or in the iOS simulator (for that I had to import the cert into the simulator). It is only on an actual physical device that it won't work.
Surely this kind of dev setup is typical for iOS apps using web services. Can anyone suggest a course of action? Is there a way to get the signing certificate produced by the iPhone Configuration Utility to be trusted?

APNS setup for the server

I'm trying to setup our APNS server. I was looking at the instructions on this page:
http://www.raywenderlich.com/3443/apple-push-notification-services-tutorial-part-12
I'm understanding everything. Problem is that I have a website already SSL enables (SSL terminates at the load balancer) on AWS, following these instructions a while back:
"Public key certificate and private key doesn't match" when using Godaddy issued certificate
The website for APNS is telling me to get a CSR file, etc. But if I already have this SSL certification done, does it mean I have to start from scratch and re-key my key? :( I wasn't able to find information regarding this...
The APNS CSR has nothing to do with any certificates you already have.
You have to create certificates in the developer area of apples websites. You don't install those certificates to the web server... they are only used from the php script on your server to connect to the apple server as a client. Your script has to load them while they run.. but they are not installed in the web server or load balancer.

Resources